AADSTS50020: Calling principal cannot consent
Hi,

I have a problem using the Office 365 API to authenticate users.
When a normal user (not an admin) tries to log in, it shows this error:


Sorry, but we're having trouble signing you in.
We received a bad request.

Additional technical information:
Correlation ID: 394eb8eb-4b16-4a9b-b3ea-054467c87e58
Timestamp: 2014-10-03 07:11:41Z
AADSTS50020: Calling principal cannot consent due to lack of permissions.

I did some research online and found this article, but it doesn't solve my problem.

http://blogs.msdn.com/b/exchangedev/archive/2014/06/05/managing-user-consent-for-applications-using-office-365-apis.aspx

I checked it and found that it allows User Consent.

Do you have another solution for this issue?

  • Edited by lawrencewong Friday, October 03, 2014 8:02 AM
  • Moved by George Hua Monday, October 06, 2014 2:52 AM Moved from apps for Office forum
October 3rd, 2014 10:41am

Hi,

Thanks for your information.

This forum is used to discuss questions about apps for Office.

From your description, I have moved this thread to the Exchange Server Development forum since the issue is more related to Exchange.

Thanks for your understanding.

Regards,

George.

October 6th, 2014 5:52am

Hi,

Can anyone help to solve this issue?
October 8th, 2014 9:39am

Having same problem. Can anyone help?
February 11th, 2015 10:18pm

There's a couple of possibilities here. One is that the organization admin for the user that's signing in has disabled the ability for users to consent to apps. The organization admin can check this via PowerShell:

Get-MsolCompanyInformation | fl DisplayName,UsersPermissionToUserConsentToAppEnabled

If the value for UsersPermissionToUserConsentToAppEnabled is false, then that's the problem. If it's true, then the other thing to check is that your app is not requesting admin consent. This is done by including "prompt=admin_consent" in your authorize URL.

If the admin has not disabled user consent, and you are not requesting admin consent in your authorize URL, please post your error text (with timestamp and correlation ID) and I'll ask the Azure guys to look at it.

February 12th, 2015 9:57am

Hi Jason, I think you mean this setting? (it was already enabled)

The strange thing is that with the same user (who is not an admin) I was able to authenticate for "OneDrive for Business" in the Windows Phone OneDrive app without issues (I want this same thing for my app).

This is the error I get (even using admin_consent):

Correlation ID: 5eacb825-ac58-45db-84bd-76ab1e135d21 
Timestamp: 2015-02-12 16:55:29Z 
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators. 
February 12th, 2015 12:02pm

If you use admin_consent, only admins can log in. So you don't want to use that flag if your intent is to let normal users consent for their own data.

What permissions have you configured in your app registration?

  • Proposed as answer by Jandieg 5 hours 11 minutes ago
February 12th, 2015 1:41pm

I had Application Permissions="Read directory data", but after unchecking it, it now works.

Thank you!

February 13th, 2015 1:41am
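
A triage sketch for the three causes raised in this thread (prompt=admin_consent in the authorize URL, user consent disabled for the tenant, an application permission configured on the app). It is an added example, not code posted by any participant. The function names, the constructed authorize URL with its placeholder client_id, and passing the tenant flag in as the value the admin read from Get-MsolCompanyInformation are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fields the thread asks posters to include when escalating a sign-in error.
PATTERNS = {
    "code": r"\bAADSTS\d+\b",
    "correlation_id": r"Correlation ID:\s*([0-9a-fA-F-]{36})",
    "timestamp": r"Timestamp:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)",
}

def parse_error(text):
    """Extract AADSTS code, correlation ID and timestamp from pasted error text."""
    fields = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        fields[name] = m.group(m.lastindex or 0) if m else None
    return fields

def consent_findings(authorize_url, user_consent_enabled, application_permissions):
    """Return the consent blockers named in the thread that apply to this app."""
    findings = []
    query = parse_qs(urlsplit(authorize_url).query)
    # prompt may be repeated or space-separated; compare case-insensitively.
    prompts = {p.lower() for value in query.get("prompt", []) for p in value.split()}
    if "admin_consent" in prompts:
        findings.append("prompt=admin_consent in authorize URL: only admins can sign in")
    if not user_consent_enabled:
        findings.append("UsersPermissionToUserConsentToAppEnabled is False for the tenant")
    for perm in application_permissions:
        findings.append(f"application permission '{perm}' is configured on the app")
    return findings

# Error text as quoted in the first post of the thread.
SAMPLE_ERROR = """Correlation ID: 394eb8eb-4b16-4a9b-b3ea-054467c87e58
Timestamp: 2014-10-03 07:11:41Z
AADSTS50020: Calling principal cannot consent due to lack of permissions."""
# Constructed authorize URL; the client_id is a placeholder.
SAMPLE_URL = ("https://login.microsoftonline.com/common/oauth2/authorize"
              "?response_type=code&client_id=00000000-0000-0000-0000-000000000000"
              "&prompt=admin_consent")

if __name__ == "__main__":
    print(parse_error(SAMPLE_ERROR))
    for finding in consent_findings(SAMPLE_URL, True, ["Read directory data"]):
        print("-", finding)
```

An empty findings list matches the case the answer above describes: post the error text with its timestamp and correlation ID for escalation.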

This topic is archived. No further replies will be accepted.
